Privacy Policy
FORCE — force.bigforgeone.com and the FORCE Service
Version 1.0 · Effective Date: April 24, 2026
This Privacy Policy describes how Big One Platforms (“we,” “us,” or “our”), a trade name of Big One Platforms, Inc., a Florida corporation, collects, uses, and discloses information when you (1) visit our website at force.bigforgeone.com and any subdomains (the “Site”) and (2) use the FORCE platform and related services (the “Service,” and together with the Site, the “Properties”).
This Privacy Policy is part of our Terms of Use and, for subscribing customers, our FORCE License and Subscription Agreement. By using the Properties, you acknowledge this Privacy Policy.
1. Scope and Our Role
1.1 Two Contexts
This Privacy Policy covers two distinct contexts of data collection:
Site Visitors: When you visit force.bigforgeone.com, we collect information about you — such as contact details you submit through forms, technical information about your visit, and cookies — for our own business purposes, including marketing, customer acquisition, and website analytics. For this information, we act as the controller and we determine the purposes and means of processing.
Service Customers and End Users: When your organization subscribes to the FORCE Service and you use the Service, your organization enters and controls data within the Service, including data about your organization's systems, personnel, evidence artifacts, compliance posture, and assessment activity (“Customer Data”). For Customer Data, your organization is the controller and we are the processor acting on your organization's instructions. Your organization's privacy policy governs how Customer Data is collected and used. If you have questions about Customer Data, please contact your organization.
1.2 What This Policy Does Not Cover
This Privacy Policy does not cover: (a) information collected by any third-party website, service, or application linked from or integrated with the Properties, including authentication providers, cloud infrastructure operated by the customer, and third-party tools used by customers to complement the Service; (b) information collected by our customers through their own use of the Service; or (c) information you provide to us outside the Properties (for example, during an in-person meeting or sales call), which we handle consistently with the principles in this Privacy Policy.
2. Information We Collect — Site Visitors
2.1 Information You Provide to Us
We collect information you voluntarily provide to us through the Site, including:
- Contact information — name, business email address, phone number, job title, and company name submitted through demo request forms, charter program applications, and contact forms.
- Firmographic information — company size, industry, contract vehicles, target assessment dates, and other business information you share as part of a charter application or demo request.
- Correspondence — content of emails, form free-text fields, or other communications you send to us.
- Event and meeting information — information you share when you schedule a call, attend a webinar, or meet us at industry events.
2.2 Information Collected Automatically
When you visit the Site, we and our service providers automatically collect certain information, including:
- Device and browser information — IP address, device type, operating system, browser type and version, and referring URL.
- Usage information — pages visited, time on page, links clicked, scroll depth, and approximate geographic location derived from IP.
- Cookies and similar technologies — see Section 5.
We use privacy-preserving analytics where feasible and do not load third-party advertising trackers on the Site.
2.3 Information from Third-Party Sources
We may supplement information you provide with information from publicly available sources and business data providers, including LinkedIn, company websites, SAM.gov, and compliance or procurement databases. We use this information for account research, lead qualification, and marketing purposes.
3. Information We Process in the Service
3.1 Customer Data (Processor Role)
Our customer (the “Customer”) is typically an organization that subscribes to FORCE to manage its own regulatory compliance posture. Customers and their authorized end users enter and generate Customer Data, which may include:
- User account information — names, work email addresses, roles, and authentication identifiers of the Customer's employees and authorized external assessors (such as C3PAOs).
- Compliance artifacts — System Security Plans, policies, evidence documents, screenshots, attestations, Plan of Action and Milestones (“POA&M”) items, assessment responses, and related records generated through use of the Service.
- Cloud configuration metadata — data collected from the Customer's AWS, Microsoft 365, Microsoft Azure, or other environments pursuant to read-only credentials the Customer provides, including IAM configurations, policies, audit logs, and security findings.
- Usage metadata — logs of actions taken in the Service, including evidence uploads, assessment state changes, AI assistant queries, and other in-app activity.
Customer Data may include personal information about the Customer's personnel and, in some cases, personal information about third parties (for example, as reflected in Customer Data logs or documents). The Customer is the controller of Customer Data. We process Customer Data solely on the Customer's instructions and as permitted by the License Agreement and applicable Data Processing Addendum.
3.2 Controlled Unclassified Information
Customer Data may include Controlled Unclassified Information (“CUI”) or Federal Contract Information (“FCI”) subject to DFARS 252.204-7012 or similar obligations. We process such information in a manner consistent with the License Agreement and applicable flow-down requirements. We do not use CUI or FCI for any purpose other than providing and securing the Service for the Customer.
3.3 Service Telemetry and Operational Data
We collect technical telemetry about use of the Service, including performance metrics, error logs, security signals, and aggregated usage statistics (“Service Telemetry”). We use Service Telemetry to operate, maintain, secure, troubleshoot, and improve the Service. Service Telemetry is stored separately from Customer Data where feasible and is not used to target individuals within Customer Data.
4. How We Use Information
4.1 Site Visitor Information
We use Site visitor information for the following purposes:
(a) responding to inquiries and fulfilling demo and charter application requests;
(b) communicating with you about FORCE, including sending marketing communications, event invitations, and product updates, subject to applicable law and your preferences;
(c) operating, maintaining, securing, and improving the Site;
(d) conducting analytics and market research;
(e) preventing, detecting, and responding to fraud, abuse, security incidents, and violations of law or our Terms of Use;
(f) complying with legal obligations and enforcing our rights and agreements;
(g) any other purpose disclosed to you at collection or to which you consent.
4.2 Customer Data (Service)
We process Customer Data only: (a) to provide, secure, and support the Service in accordance with the License Agreement; (b) to comply with the Customer's documented instructions; (c) to exercise or defend legal claims; and (d) as required by applicable law. We do not sell Customer Data, we do not use Customer Data to train our own general-purpose artificial intelligence or machine learning models, and we do not use Customer Data for advertising.
4.3 Aggregated and De-Identified Information
We may aggregate or de-identify information collected through the Properties so that it cannot reasonably be used to identify any individual or Customer (“Aggregated Data”). We may use Aggregated Data for any lawful purpose, including benchmarking, research, product development, and marketing. Aggregated Data is not considered personal information.
4.4 Legal Basis Where Applicable
Where applicable law requires a legal basis for processing personal information, we rely on one or more of the following: (a) your consent; (b) performance of a contract with you or your organization; (c) our legitimate interests in operating, securing, improving, and marketing the Properties, provided those interests are not overridden by your data protection rights; and (d) compliance with legal obligations.
5. Cookies and Similar Technologies
The Site uses cookies and similar technologies to operate the Site, remember your preferences, and analyze usage. Categories used:
(a) Strictly necessary — required for the Site to function (for example, authentication state on the charter application form).
(b) Analytics — measure how visitors interact with the Site in aggregate. We use privacy-preserving analytics providers that do not use cookies for cross-site tracking where feasible.
(c) Functional — remember your preferences, such as language or form progress.
You can control cookies through your browser settings. Blocking strictly necessary cookies may cause parts of the Site to malfunction. We do not currently respond to “Do Not Track” browser signals because no common industry or legal standard for recognizing such signals has been adopted for our use case.
6. How We Disclose Information
6.1 Service Providers
We share information with service providers that help us operate the Properties, including cloud hosting, analytics, email delivery, payment processing, customer support, and security. We contractually require service providers to use information only to perform services for us and to maintain reasonable safeguards. A current list of subprocessors for the Service is maintained at force.bigforgeone.com/legal/subprocessors.
6.2 Customer Control for Customer Data
For Customer Data, we act on the Customer's instructions. The Customer controls who may access Customer Data, including by inviting external assessors (such as C3PAOs) or by enabling flow-down visibility to a prime contractor.
6.3 Legal Disclosures
We may disclose information if we reasonably believe disclosure is required to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our agreements, including investigating potential violations; (c) protect our rights, property, or safety, or the rights, property, or safety of our customers or others; or (d) detect, prevent, or address fraud, security, or technical issues. Where legally permitted, we will notify the relevant Customer before disclosing Customer Data in response to a legal request.
6.4 Business Transfers
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, information collected through the Properties may be transferred as part of the transaction. In such cases, we will require the recipient to honor the commitments in this Privacy Policy or provide materially similar protections.
6.5 With Your Consent
We may disclose information for any other purpose with your consent.
6.6 No Sale of Personal Information
We do not sell personal information for monetary consideration. We do not engage in “sales” of personal information as that term is defined under California, Colorado, Connecticut, Virginia, or other applicable state privacy laws. We do not engage in “sharing” of personal information for cross-context behavioral advertising.
7. Data Security
We maintain administrative, physical, and technical safeguards designed to protect information collected through the Properties. Safeguards include access controls, encryption in transit and at rest, network segmentation, logging and monitoring, personnel training, and incident response procedures. For the Service specifically, additional safeguards apply as described in our security documentation, available to qualified prospects and customers at force.bigforgeone.com/security and under appropriate confidentiality protections.
No security program is impenetrable. We cannot and do not guarantee that information transmitted to or processed by us will always remain secure. You acknowledge that you provide information at your own risk. For the Service, the Customer is responsible for (a) the security of the Customer's own systems and personnel, (b) selection and safeguarding of authentication credentials, (c) granting and revoking user access, (d) configuration of Customer-managed integrations including cloud service trust relationships, and (e) use of the Service consistent with the License Agreement and applicable law. The Customer is responsible for notifying affected individuals and regulators of breaches that result from causes attributable to the Customer.
8. Breach Notification
If we become aware of a security incident involving personal information that we process as controller and that triggers notification obligations under applicable law — including the Florida Information Protection Act and analogous state or federal laws — we will investigate the incident and provide notifications required by law.
For Customer Data processed in the Service, we will notify the affected Customer of confirmed security incidents without undue delay after becoming aware of them, in accordance with the License Agreement and applicable Data Processing Addendum. The Customer, as controller, is responsible for determining whether breach notification to regulators or affected individuals is required and for making those notifications. We will reasonably cooperate with the Customer in such notifications.
9. Data Retention
We retain information collected through the Site for as long as reasonably necessary for the purposes described in this Privacy Policy, including for fulfilling requests, communicating with you, complying with legal obligations, resolving disputes, and enforcing agreements. Retention periods are determined based on the nature, sensitivity, and volume of the information; the risk of harm from unauthorized use or disclosure; and applicable legal requirements.
For Customer Data, retention is governed by the License Agreement and the Customer's configuration. Upon termination of the License Agreement, we return or delete Customer Data as described in the License Agreement, except as required to be retained by applicable law or for the defense of legal claims.
10. Your Choices and Rights
10.1 Marketing Communications
You may opt out of marketing emails from us by clicking the “unsubscribe” link in any marketing email or by contacting us at privacy@bigforgeone.com. We will continue to send transactional and relationship communications (for example, information about your account or changes to our legal terms) regardless of your marketing preferences.
10.2 Access, Correction, Deletion, and Portability
Depending on where you reside and the applicable law, you may have rights regarding personal information we hold about you, including rights to:
- request access to the personal information we hold about you;
- request correction of inaccurate or incomplete personal information;
- request deletion of personal information, subject to exceptions;
- request a portable copy of personal information you provided to us;
- opt out of certain processing, including profiling that produces legal or similarly significant effects;
- withdraw consent where processing is based on consent;
- appeal a denial of a rights request.
To exercise a right, email privacy@bigforgeone.com with a clear description of your request and sufficient information to allow us to verify your identity. We will respond within the time required by applicable law. We may decline a request where permitted by law, including if we cannot verify your identity or if an exception applies. We will not discriminate against you for exercising a right.
10.3 Customer Data Requests
If you are an end user of the Service (for example, an employee of a FORCE Customer), please direct rights requests about your personal information in Customer Data to the Customer. We will cooperate with the Customer to fulfill requests in accordance with the License Agreement.
10.4 California Privacy Disclosures
If you are a California resident, the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act, may provide you additional rights, including the right to know what personal information we collect, disclose, or sell; the right to delete personal information; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information (note: we do not sell or share personal information as those terms are defined under the CCPA); the right to limit the use of sensitive personal information (note: we do not use sensitive personal information for purposes requiring the limit-use right); and the right to non-discrimination.
Categories of personal information we may collect, as described in CCPA categories: identifiers; commercial information (transaction records for customer accounts); internet and electronic network activity information (usage data, cookies); professional and employment-related information (job title, company); and inferences drawn from the above. Categories of sources, purposes of collection, and categories of recipients are described throughout this Privacy Policy. We retain personal information as described in Section 9.
10.5 Other State Privacy Laws
Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other states with applicable privacy laws may have similar rights. We extend the rights described in Section 10.2 to residents of those states as required by applicable law.
11. International Users
The Properties are operated in the United States and intended for customers and users in the United States. If you access the Properties from outside the United States, you acknowledge that your information will be processed in the United States, which may have data protection laws different from your jurisdiction. Where applicable law requires additional protections for international data transfers, we will implement such protections through appropriate contractual or technical measures.
12. Children
The Properties are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete it as required by law. If you believe a child has provided us personal information, please contact privacy@bigforgeone.com.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time by posting a revised version on the Site with a new Effective Date. For material changes, we will provide reasonable notice through the Site or by email. Your continued use of the Properties after the Effective Date constitutes your acknowledgement of the revised Privacy Policy.
14. Contact Us
Questions, concerns, or requests regarding this Privacy Policy may be directed to:
Big One Platforms
Attention: Privacy
Email: privacy@bigforgeone.com
Big One Platforms is a trade name of Big One Platforms, Inc., a Florida corporation.
© 2026 Big One Platforms, Inc. All rights reserved.
